Single User Mode Requirements

In a conventional Cloudera Manager deployment, the Cloudera Manager Agent, which manages Hadoop processes on each host, runs as the root user. However, some environments restrict access
to the root account.

Cloudera Manager 5.3 provides single user mode, which satisfies the requirements of such environments. In single user mode, the Cloudera Manager Agent and
all the processes run by services managed by Cloudera Manager are started as a single configured user and group. Single user mode prioritizes isolation between Hadoop and the
rest of the system over isolation between Hadoop processes running on the system.

Within a Cloudera Manager deployment, single user mode is global and applies to all clusters managed by that instance of Cloudera Manager.

By default, the single user is cloudera-scm and the configuration steps described in the following sections assume that user. However, other users are
supported. If you choose another user, replace cloudera-scm in the following steps with the selected user, and perform the additional steps in Using a Non-default Single User.

The following sections describe limitations of single user mode and the required configuration steps for the supported installation scenarios at specific points during the
installation process.

Configuration Steps Before Running the Installation Wizard

Before configuring a cluster to run in single user mode, the following steps must be performed on all hosts in the cluster:

Give the single user passwordless sudo access. You must create the user if it doesn’t exist. One common way of achieving this is to add the user to the configured sudoers group by
running the command:

usermod -a -G sudo cloudera-scm

or adding a new sudo configuration for the cloudera-scm group by running the command visudo and then adding the following line:

%cloudera-scm ALL=(ALL) NOPASSWD: ALL

Sudo must be configured so that /usr/sbin is in the path when running sudo. One way
to achieve this is by adding the following configuration to sudoers:

Edit the /etc/sudoers file using the visudo command.

Add this line to the configuration file:

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Set up per user limits for su prior to setting up the Agent.

Edit /etc/pam.d/su.

Uncomment:

session required pam_limits.so

Roles that run on Tomcat require some directories to exist in non-configurable paths. The following directories must be created and be writable by cloudera-scm:

HDFS (HttpFS role) - /var/lib/hadoop-httpfs

Oozie Server - /var/lib/oozie

Sqoop 2 Server - /var/lib/sqoop2

Solr Server - /var/lib/solr

Cloudera recommends that you create a prefix directory (for example, /cm) owned by cloudera-scm under which all other
service directories will be placed. In single user mode, the Cloudera Manager Agent creates directories under the prefix directory with the correct ownership. If hosts have additional volumes
that will be used for data directories, Cloudera recommends creating a directory on each volume (for example, /data0/cm and /data1/cm)
that is writable by cloudera-scm.
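
The host prerequisites above can be verified on each host before the wizard is started. The script below is an added example, not part of the Cloudera documentation; the function names and the ROOT variable (an alternate filesystem root, useful for testing) are assumptions, and it should be run as root so that /etc/sudoers is readable.

```shell
#!/bin/sh
# Added example: preflight checks for the host prerequisites listed above.
# ROOT (alternate filesystem root) and all function names are assumptions.
SU_USER="${SU_USER:-cloudera-scm}"
ROOT="${ROOT:-}"

# Succeeds if an active "Defaults secure_path" entry lists /usr/sbin exactly.
secure_path_ok() {  # $1 = sudoers file
    grep -E '^[[:space:]]*Defaults[[:space:]]+secure_path[[:space:]]*=' "$1" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/"//g' -e 's/[[:space:]]*$//' |
        tr ':' '\n' | grep -qx '/usr/sbin'
}

# Succeeds if pam_limits.so is enabled (line present and not commented out).
pam_limits_ok() {  # $1 = PAM service file for su
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so' "$1"
}

# Succeeds if directory $2 exists and user $1 can write to it.
dir_writable_by() {
    [ -d "$2" ] || return 1
    if [ "$(id -un)" = "$1" ]; then
        [ -w "$2" ]
    else
        sudo -n -u "$1" test -w "$2"   # run the test as the single user
    fi
}

# Runs every check, prints one line per failure, returns 1 if any failed.
preflight() {
    rc=0
    secure_path_ok "$ROOT/etc/sudoers" ||
        { echo "FAIL: sudo secure_path does not include /usr/sbin"; rc=1; }
    pam_limits_ok "$ROOT/etc/pam.d/su" ||
        { echo "FAIL: pam_limits.so is not enabled in /etc/pam.d/su"; rc=1; }
    for d in /var/lib/hadoop-httpfs /var/lib/oozie /var/lib/sqoop2 /var/lib/solr; do
        dir_writable_by "$SU_USER" "$ROOT$d" ||
            { echo "FAIL: $d is missing or not writable by $SU_USER"; rc=1; }
    done
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; fi
```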

Configuration Steps Before Starting the Installation Wizard in Installation Paths B and C

Perform the following steps for the indicated scenarios:

Path C - Do one of the following:

Create and change the ownership of /var/lib/cloudera-scm-server to the single
user.

Set the Cloudera Manager Server local storage directory to one owned by the single user:

Go to Administration > Settings > Advanced.

Set the Cloudera Manager Server Local Data Storage Directory property to a directory
owned by the single user.

Configuration Steps While Running the Installation Wizard

When configuring the first cluster in Cloudera Manager using the Installation wizard, you’ll have the option to set up the cluster in single user mode. This configures the Agents to run
as cloudera-scm.

During the review configuration step, you confirm that all the configured paths are writable by cloudera-scm. The directories themselves don’t have to exist
as long as the parent directory is writable by cloudera-scm.

Following the standard review configuration page, an additional paths configuration page shows all the configurable paths for the services that will be created in the cluster. These
must also be modified to be locations writable by cloudera-scm. In most cases, the paths that need to be modified from their default locations fall under two
categories:

Paths under /var - These are log, run, and data directories
for the different services.

Per volume data directories - These are data directory configurations that list a directory per volume. Such configurations are used by HDFS, MapReduce, YARN and Impala.

Configuration for Secure Clusters

You must perform some additional configuration when setting up secure HDFS in single user mode:
